
CVE-2024-13689: CWE-94 Improper Control of Generation of Code ('Code Injection') in undsgn Uncode Core

Severity: Medium
Tags: Vulnerability, CVE-2024-13689, CWE-94
Published: Tue Feb 18 2025 (02/18/2025, 14:22:15 UTC)
Source: CVE Database V5
Vendor/Project: undsgn
Product: Uncode Core

Description

CVE-2024-13689 is a medium-severity vulnerability in the Uncode Core WordPress plugin that allows authenticated users with Subscriber-level access or higher to execute arbitrary shortcodes. The flaw arises from missing validation before the plugin calls do_shortcode on user-supplied input, so a low-privilege user can trigger any registered shortcode. Exploitation requires no user interaction and can impact the confidentiality, integrity, and availability of affected WordPress sites. No exploits are currently reported in the wild. Organizations running the Uncode Core plugin up to version 2.9.1.6 should prioritize patching or applying mitigations. The vulnerability affects all versions up to and including 2.9.

AI-Powered Analysis

AI analysis last updated: 02/25/2026, 22:47:16 UTC

Technical Analysis

The vulnerability identified as CVE-2024-13689 affects the Uncode Core plugin for WordPress, versions up to and including 2.9.1.6. It is classified under CWE-94 (Improper Control of Generation of Code, i.e. code injection). The issue stems from the plugin allowing authenticated users with Subscriber-level access or higher to execute arbitrary shortcodes without validating the input before invoking the WordPress function do_shortcode. That function expands shortcodes, which embed dynamic content, and in some cases server-side logic, within WordPress posts or pages. Because the input is neither sanitized nor restricted to an allowlist, an attacker can supply shortcode markup that invokes any shortcode registered on the site, with whatever side effects those shortcodes have, in the context of the WordPress site. The vulnerability requires authentication but no additional user interaction, so any user who can log in with at least Subscriber privileges can reach it. The CVSS 3.1 base score of 6.3 reflects medium severity: network attack vector, low attack complexity, and low privileges required. The impact includes potential unauthorized disclosure of information, modification of site content or configuration, and disruption of availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin. Since Uncode Core is widely bundled with WordPress themes for design and layout, many websites could be affected if they have not updated or mitigated this issue. The vulnerability illustrates the risk of insufficient input validation in plugin code that handles dynamic content execution.

Potential Impact

Exploitation of CVE-2024-13689 permits execution of arbitrary shortcodes, which may allow attackers to perform actions such as data leakage, content manipulation, privilege escalation, or denial of service, depending on which shortcodes the site's plugins and themes register. Since the vulnerability requires only Subscriber-level access, attackers can leverage compromised or self-registered low-privilege accounts to extend their control over the WordPress site. This can result in defacement, injection of malicious content (e.g., malware distribution), or disruption of site availability. For organizations, this can lead to reputational damage, loss of customer trust, and potential regulatory penalties if sensitive data is exposed. The medium severity score indicates a significant but not critical risk; however, the widespread use of WordPress and the Uncode Core plugin increases the potential attack surface globally. The current lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once details are public. Organizations relying on this plugin should treat the vulnerability as a remediation priority.

Mitigation Recommendations

1. Immediately review user roles and permissions to ensure that only trusted users hold Subscriber-level or higher access, minimizing the pool of accounts that can reach the vulnerable code.
2. Disable shortcode execution for untrusted user inputs or contexts where possible, especially for requests from low-privilege users.
3. Monitor logs and audit trails for unusual shortcode usage or unexpected shortcode execution patterns.
4. Apply the principle of least privilege to all WordPress user accounts and enforce strong authentication mechanisms.
5. Keep the Uncode Core plugin updated; monitor vendor announcements for patches or security updates addressing this vulnerability.
6. If a patch is not yet available, consider temporarily disabling the Uncode Core plugin or replacing it with an alternative until a fix is released.
7. Employ a Web Application Firewall (WAF) with custom rules to detect and block suspicious shortcode execution attempts.
8. Conduct regular security assessments and penetration testing focusing on plugin vulnerabilities and shortcode injection risks.
9. Educate site administrators and developers about the risks of shortcode injection and secure coding practices to prevent similar issues in custom plugins or themes.
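The following is an added example, not code from Uncode Core or from this advisory. It shows the general pattern the Technical Analysis describes (an authenticated endpoint that passes user input straight to do_shortcode) alongside a hardened version that applies mitigation steps 2 and 3: a capability check, a shortcode allowlist, attribute sanitization, and a logging hook. The AJAX action name, the nonce name, the request parameters (`tag`, `atts`) and the allowlist entries are assumptions; `check_ajax_referer`, `current_user_can`, `shortcode_exists`, `do_shortcode` and the `do_shortcode_tag` filter are real WordPress APIs.

```php
<?php
// Added example (not Uncode Core's code). Hypothetical AJAX handler that renders a
// shortcode for a logged-in user, first as the unsafe pattern, then hardened.

// UNSAFE PATTERN, kept as a comment for contrast: any authenticated user may submit
// arbitrary shortcode markup, and every registered shortcode becomes reachable.
// function unsafe_render_shortcode() {
//     echo do_shortcode( wp_unslash( $_POST['content'] ) ); // no capability check, no allowlist
//     wp_die();
// }
// add_action( 'wp_ajax_render_shortcode', 'unsafe_render_shortcode' );

// Shortcodes this endpoint may render (assumed names for the example).
const EXAMPLE_ALLOWED_SHORTCODES = array( 'example_gallery', 'example_button' );

function hardened_render_shortcode() {
    // 1. CSRF protection: the request must carry the nonce issued with the page.
    check_ajax_referer( 'example_render_shortcode', 'nonce' );

    // 2. Require a capability, not merely a login. Subscribers lack edit_posts,
    //    so the Subscriber-level access path in the advisory is closed here.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Accept a tag name and attributes, never raw shortcode markup, and
    //    check the tag against a fixed allowlist.
    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, EXAMPLE_ALLOWED_SHORTCODES, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( array( 'message' => 'shortcode not permitted' ), 400 );
    }

    // 4. Rebuild the shortcode string from sanitized attributes. The parser treats
    //    ']' inside the attribute list as the end of the shortcode, so the delimiters
    //    are stripped and the value is quoted with esc_attr() to keep it inside its
    //    own attribute; the caller therefore cannot append extra shortcodes.
    $atts       = isset( $_POST['atts'] ) && is_array( $_POST['atts'] ) ? wp_unslash( $_POST['atts'] ) : array();
    $att_string = '';
    foreach ( $atts as $name => $value ) {
        $name = sanitize_key( $name );
        if ( '' === $name ) {
            continue;
        }
        $value       = str_replace( array( '[', ']' ), '', sanitize_text_field( (string) $value ) );
        $att_string .= sprintf( ' %s="%s"', $name, esc_attr( $value ) );
    }
    $output = do_shortcode( sprintf( '[%s%s]', $tag, $att_string ) );

    // 5. Filter the rendered HTML before returning it.
    wp_send_json_success( array( 'html' => wp_kses_post( $output ) ) );
}
add_action( 'wp_ajax_example_render_shortcode', 'hardened_render_shortcode' );

// Detection aid for mitigation step 3: log any shortcode rendered on behalf of a
// logged-in user who cannot edit posts. do_shortcode_tag is a core filter that
// runs for every shortcode expansion, so this also covers code paths the site
// owner does not control.
function example_log_low_priv_shortcode( $output, $tag, $attr, $m ) {
    if ( is_user_logged_in() && ! current_user_can( 'edit_posts' ) ) {
        $uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : 'n/a';
        error_log( sprintf(
            'shortcode [%s] rendered for low-privilege user %d (%s) via %s',
            $tag,
            get_current_user_id(),
            wp_get_current_user()->user_login,
            $uri
        ) );
    }
    return $output;
}
add_filter( 'do_shortcode_tag', 'example_log_low_priv_shortcode', 10, 4 );
```

The logging filter is deliberately broad: on a site where Subscribers should never cause shortcode expansion at all, every entry it writes is worth a look, and the entries can feed a WAF rule or SIEM alert while the plugin update is rolled out.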


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-23T19:05:17.334Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e68b7ef31ef0b5a017c

Added to database: 2/25/2026, 9:49:28 PM

Last enriched: 2/25/2026, 10:47:16 PM

Last updated: 2/26/2026, 7:11:41 AM

